Mobility AnyConnect client configuration suggestions

We used IPsec VPN 30XXs and ACS 4.3 (or 4.2?) with the old VPN clients, but with Windows 10 that is more work than we can keep doing. Time for AnyConnect. We have a few ASA 5510/5520s with the AnyConnect Premium peer support so that we can move off IPsec. I have it working using TLS with CAS, but I think we need a new version of the AAA server too.

Questions... What is the better/cheaper way to add a bit of two-factor authentication? Currently it seems that with GBA only a username and password (no group user/password) is used to authenticate. A paid cert on the 55xxs to avoid the security problem is not an issue, but a cert for each client would be cumbersome to manage. ICS seems to be the way forward for managing users unless there is a compatible, easier/less expensive product.

Directions on the best way to go would be appreciated, as there seem to be a lot of options, all at additional cost. We want the complete IP connectivity that we have with IPsec, since we also have a Citrix GW for specialized connections.

The only option of interest is checking for a virus protection service. We do not allow split tunneling for users, although I got it working during testing (split tunneling only for admin users).

We'll stay with AnyConnect 3.x since it's free and supported for 3 more years from what I read. AC 4.x seems to involve extra client cost over what we currently have.

Thank you!

If you're handy with Windows Server and want to stay on the low-cost road, issue the user certificates using CEP through the ASA proxy. Then their issued certificate is the first authentication method, and their password is the second.

You can even set the ASA to pull the username from the certificate automatically and prevent the user from typing in anything else if you so desire.

Take a look at the Cisco Live presentation "BRKSEC-3053 Practical PKI for Remote VPN Access", San Diego 2015. It is a very complete guide for this operation (and for the use of EHT as well).

https://www.ciscolive.com/online/connect/sessionDetail.WW?SESSION_ID=837...

If you want to pay, I was very favorably impressed by the Duo Security 2FA solution. You do not pay a subscription, but it's quite reasonably priced. They have a few step-by-step guides that are very well made.

https://www.duosecurity.com/docs/Cisco
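An added example (not part of the original reply) of the ASA side of that setup: the certificate is the first factor, the AAA password is the second, and the username is taken from the certificate so the user cannot type a different one. The trustpoint, AAA server, group-policy and tunnel-group names, and the 10.0.0.5 address, are assumptions.

```cisco
! Added example, not the poster's configuration. Assumed names: CORP-USER-CA,
! RADIUS-SRV, AC-2FA-GP, AC-2FA; 10.0.0.5 is a constructed address.

! Trust the internal CA that issues the user certificates and check its CRL,
! so a revoked user certificate is rejected before the password is even asked.
crypto ca trustpoint CORP-USER-CA
 enrollment terminal
 revocation-check crl
 crl configure
!
! Second factor: the password is verified by the existing AAA server
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.5
 key <radius-shared-secret>
!
! Make the SSL listener request a client certificate
ssl certificate-authentication interface outside port 443
!
group-policy AC-2FA-GP internal
group-policy AC-2FA-GP attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group AC-2FA type remote-access
tunnel-group AC-2FA general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy AC-2FA-GP
 ! Derive the username from the certificate subject CN, not from the login form
 username-from-certificate CN
tunnel-group AC-2FA webvpn-attributes
 ! Both factors required: a valid certificate AND a password accepted by RADIUS-SRV
 authentication aaa certificate
 ! Pre-fill the username from the cert; "hide" stops the user from editing it
 pre-fill-username ssl-client hide
 group-alias corp-2fa enable
```

The ASA's own identity certificate (the one bound with `ssl trust-point`) is separate from the user CA above; keep them in different trustpoints so a compromise of one does not affect the other. After a test login, `show vpn-sessiondb anyconnect` shows the username the ASA actually derived from the certificate.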

Tags: Cisco Security

Similar Questions

  • Does the AnyConnect client perform server cert revocation checking on the ASA? Can it be configured?

    Environment: AnyConnect Secure Mobility Client v 3.1.04066

    Does the AnyConnect client perform a revocation check on the server certificate returned by the ASA during VPN session establishment? If so, does it use the AIA info in the server certificate, or can the OCSP or CRLDP URL be configured in the client?

    And can server certificate revocation checking be disabled (for example in the profile, or with a registry update)?

    Note that I am NOT talking about the ASA's revocation checking of the submitted client certificate. All my extensive google-fu could only find information on that topic, but this is different; this is similar to a browser's revocation checking of a website's server certificate.

    We are evaluating using an identity certificate from an internal CA for the VPN profile, but there is a catch-22/chicken-and-egg problem if the AnyConnect client performs a required OCSP check on the cert, since there is no access to the OCSP URL until after connecting. This could be resolved by, for example, having a CRLDP with an external URL to a .crl file, or by suppressing revocation checks in the AnyConnect client.

    Thank you!

    I think at some point this was removed from AnyConnect, because it was the cause of many problems, but it was reintroduced in AnyConnect 4.1, though still not enabled by default. So no, I don't think the version you are using is doing this.

  • Clientless SSL VPN disabled on ASA5505 after activation of the AnyConnect client

    Hello everyone,

    I am facing a problem with the VPN service on an ASA 5505. Initially, I was using clientless SSL VPN, which was working absolutely fine, no problem. Recently I bought an AnyConnect Essentials license along with an AnyConnect Mobile license (for the client SSL VPN service for desktop and mobile respectively) and activated these keys on the firewall. After that I was able to connect to the client-based VPN using the AnyConnect client. Clientless VPN access no longer allows you to connect and displays an error (see the attached screenshot).

    I created two VPN profiles, viz. basic (for clientless VPN) and rvsvpn (for client-based VPN). After downloading the AnyConnect client I can connect to the rvsvpn profile. But if I try to connect using the basic profile, it throws the error shown in the attachment.

    Please help me in this regard, as to what can be done to use both VPN connection profiles. Or does the use of AnyConnect disable clientless access?

    Waiting for your help.

    Thanks in advance.

    Samrat.

    The "anyconnect essentials" command in your configuration disables all clientless profiles (as well as other features that require the Premium license).

    Essentials and Premium are mutually exclusive in terms of functionality. You can have both licenses installed, but only use one or the other (never both at once) in your running configuration.

  • AnyConnect client profile

    When I deploy a client from the Cisco ASA via web deployment, but the AnyConnect client profile has been installed by a .msi file locally on the PC, does the AnyConnect client get profile updates from the Cisco ASA? Or is the AnyConnect client required to be downloaded and installed through the Cisco ASA to get the desired profile?

    The appropriate profile.xml (or whatever you named it when you configured the profile on the ASA) should be automatically downloaded (or updated if changes have been made) as part of the connection process once the user has chosen the connection profile and initiated the connection.

    By default (in Windows 7), these files are stored in the hidden directory C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

  • AnyConnect Mobile license question

    I have an ASA 5505 with a basic license allowing 2 concurrent SSL connections via the AnyConnect client. If I want to allow two devices to use AnyConnect VPN connections, do I just need to buy two AnyConnect Mobile licenses (L-ASA-AC-M-5505=) and apply them to the 5505?

    Thank you!

    Regarding licensing, a single AnyConnect Mobile license allows mobile clients to use AnyConnect up to the Premium (in your case) or Essentials limit already licensed and active on the ASA. That is, only one mobile license needs to be purchased.

    Of course, you also need to configure remote VPN access.

  • Weird NAT behavior with AnyConnect client

    Hello

    I have a problem with our AnyConnect clients not being able to access a particular resource that exists on a 3rd-party VPN.

    Both the AnyConnect clients and the 3rd-party site-to-site VPN terminate on the outside interface of the ASA.

    There is a NAT configuration between the 3rd party and our ASA network so that we share the 192.168.40.0/24 subnet. The first /25 is for the 3rd party's hosts and the second /25 is for our hosts.

    We are trying to access a service on 192.168.40.10

    The NAT rule that I have in place to achieve this is:

    Source = VPN-subnet   Dest = 192.168.40.0/25   Service = any

    XLate Source = 192.168.40.129 (PAT)   XLate Dest = Original   XLate Service = Original

    With the NAT rule like this, the web page does NOT work. We get a SYN timeout, and looking at the logs, the AnyConnect client source address does not get PAT'd to 192.168.40.129.

    BUT...

    If I change the NAT rule to this...

    Source = VPN-subnet   Dest = 192.168.40.0/25   Service = any

    XLate Source = 192.168.40.129 (PAT)   XLate Dest = 192.168.40.10   XLate Service = Original

    THIS WORKS! The source address does get PAT'd to 192.168.40.129.

    BUT... the problem now is that if the AnyConnect client attempts to access any other IP in 192.168.40.0/25, the destination address gets changed to 192.168.40.10 every time.

    I am new to ASA 8.3, so I was wondering if I'm missing something with how NAT rules have changed since earlier ASA versions...

    Can anyone help?

    Thank you

    Mario Rosa

    Hello

    The only reasons I can see for a NAT rule that is configured at the top not being applied are:

    • "same-security-traffic permit intra-interface" is NOT configured, but in this case it is, since we have already looked at the "packet-tracer" output
    • There is of course the possibility that the networks in the NAT rules don't match any traffic entering the ASA
    • Naturally, there is the chance of a bug, of which there have been several.

    If there is no clear reason why the NAT rules do not match, then I suggest opening a TAC case or upgrading/downgrading to another software level to determine if a bug is the cause.

    I don't know if you mentioned the software level you are using?

    -Jouni
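As an added example (not the poster's configuration): an ASA 8.3+ twice NAT rule that PATs AnyConnect users behind 192.168.40.129 only when they talk to the partner half of the shared subnet, followed by the packet-tracer check Jouni refers to. The object names and the 10.10.10.0/24 VPN pool are assumptions.

```cisco
! Added example, not the poster's actual configuration. Assumed object names;
! 10.10.10.0/24 is a constructed AnyConnect address pool.

object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
object network PARTNER-HALF
 subnet 192.168.40.0 255.255.255.128
object network PARTNER-PAT
 host 192.168.40.129
!
! AnyConnect and the site-to-site tunnel both terminate on "outside", so
! traffic has to be allowed to leave through the interface it arrived on.
same-security-traffic permit intra-interface
!
! Source is PAT'd to .129. The destination object is the SAME on both sides of
! "destination static", so the destination is matched but never rewritten.
! Line 1 keeps this rule above any broader section-1 rules.
nat (outside,outside) 1 source dynamic VPN-POOL PARTNER-PAT destination static PARTNER-HALF PARTNER-HALF
!
! Verify the translation on a simulated flow before touching the crypto map:
! packet-tracer input outside tcp 10.10.10.5 40000 192.168.40.10 80 detailed
! show nat detail
```

The second rule in the question rewrote every destination to 192.168.40.10 because its mapped destination (a single host) differed from the original destination (the whole /25); with the same object on both sides, only the source changes. Since NAT runs before encryption, the site-to-site crypto ACL must match the post-NAT source 192.168.40.129 rather than the VPN pool, and `packet-tracer` shows both the NAT phase and the VPN phase so a miss in either is visible.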

  • AnyConnect client to AnyConnect client communication

    Hello

    We have users connected via AnyConnect who cannot communicate with each other using their softphones during extension calls. They can communicate with each other fine when dialing 7 digits. They use split tunneling, and we have unchecked the network list under the group's internal policy and added the AnyConnect subnets. They can call any other network but the AnyConnect network. Is there a defect that does not allow AnyConnect-to-AnyConnect communication?

    Also, I had the users turn off their firewalls, and they still couldn't call, ping or tracert.

    Is it possible for an AnyConnect client to ping another AnyConnect client that is on the same subnet?

    Any suggestions?

    Thank you, Pat.

    You can remove the following because it is not necessary (then "clear xlate"):

    nat (outside,outside) source static AP-SSLDHCP interface destination static any_vpn any_vpn

    It's OK that OSPF is advertising and redistributing, so the internal OSPF routers know to send the 10.3.8.0 subnet to the ASA.

    And when I say overlapping routes, I mean when you have for example 10.3.8.0/21 pointing inside, you need to configure more specific routes (10.3.8.0/22) pointing outside. Otherwise, it's going to route inside and loop, since the VPN pool is supposed to exist outside. Routing should be good, because you can access internal networks, so I wouldn't change anything regarding the routes.

  • Automatic downgrade of the AnyConnect client (IOS router)

    Hello

    We run Cisco AnyConnect clients with an IOS router (2921) as the headend.

    We upgraded the client package on the router to the latest version 3.1.13015. After installing this package on the clients, we discovered a bug. Windows-based computers are no longer able to establish a VPN connection (authentication and the automatic package update still work, but then an error message is displayed ("unable to ..." or similar)).

    I reverted the package on the router back to an older version (3.1.11004), but it is not being auto-installed when a client with the new (buggy) version connects.

    Is it possible to configure the router to force a downgrade on the clients, or is the only workaround to manually uninstall the package on the clients?

    Thank you

    Heinz

    No, you can't auto-downgrade the clients.

    Unfortunately, you will need to uninstall it on the client end, then get the right (older) package from the router.

  • AnyConnect client... SSL vs. IPSec

    Hello

    I have a few questions on the Anyconnect VPN remote access.

    Does the AnyConnect client work with SSL or IPsec IKEv2? Is there a default method?

    Where would you identify what method to choose? Does the AnyConnect client automatically detect the type (SSL or IPsec) based on the VPN server? How does SSL vs. IPsec work in this case? What is new in the AnyConnect 4.x client?

    I would say that 90% or more of customers use SSL.

    IPsec IKEv2 is used mainly by two categories of people:

    1. those who need next-gen cryptographic algorithms for legal or regulatory reasons

    2. those who have had amateurs, or CCIE candidates, configure their VPN (joking - just a little bit)

    Either, when implemented correctly, does a good job of securing your traffic.

    The server (for example, the ASA) defines the method, and the client honors it because of the associated connection profile that it updates/downloads from the server.

    This initial process, even if you use IPsec IKEv2, normally happens over SSL as part of the preamble to IPsec session establishment. You can manually eliminate this small step, but it is generally more trouble than it's worth.

  • Error installing AnyConnect client v3.1.07021 on Windows 8.1

    Hi people, I'm trying to install the anyconnect-win-3.1.07021-pre-deploy-k9.msi AnyConnect client (confirmed working on another user's machine), and at the end of the installation process, I get the following error:

    There is a problem with this Windows Installer package. A program run as part of the Setup did not finish as expected. Contact your provider to support personal or package.

    Accepting the error aborts the installation, and the client is not installed.

    I checked the Windows logs and found this one:

    Product: Cisco AnyConnect Secure customer mobility - error 1722. There is a problem with this Windows Installer package. A program run as part of the Setup did not finish as expected. Contact your provider to support personal or package.  Action VACon64_ndis6_Install, location: C:\Program Files (x 86) \Cisco\Cisco AnyConnect Secure Mobility Client\VACon64.exe, command:-install "C:\Program Files (x 86) \Cisco\Cisco AnyConnect Secure Mobility Client\\vpnva-6.inf" VPNVA

    Can someone help me move forward on this one?

    Kind regards

    Brendan

    Please follow this document and it should address the issue.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • AnyConnect Client timeout

    Sorry if this question has already been addressed in another thread. I looked and found nothing, so I'm posting here.

    We currently use the AnyConnect client on our ASA5520. The only issue I have now is that the timeout does not seem to work correctly. I have the Idle Timeout in the current group policy set to 30 minutes and clients never disconnect unless you disconnect manually.

    At first, I thought that KeepAlive or DPD was somehow affecting this. But after testing, they seem not to be. It seems that the timeout simply does not work at all. Does anyone have any ideas of what I'm missing? Or does the inactivity timeout function simply not work?

    Thank you!

    Jeff

    I look at the idle timeout as a legacy feature, due to the fact that modern operating systems are inherently chatty.  If you run a sniffer on the AnyConnect VA and then leave the PC alone for a few minutes, you can capture all kinds of packets to and from the client, even if you are not actively working on the PC.  If your intention is to manage user sessions, you can set a max session time.  Once the maximum session time is reached, the user will be disconnected from the system.  Users must then reconnect if they require continuous network access.  Dead Peer Detection is the mechanism used by the client or network to quickly detect a condition where the peer does not respond and the connection has failed.  For example, in a perfect world, all AnyConnect users would right-click on the icon and click disconnect to gracefully end the session.  In reality, users might lose their Internet connection, put their PC to sleep while connected, etc.  Without DPD, the headend network device will retain the now-stale session information while the SSL client tries to reconnect.  Manual intervention by an administrator would be needed to disconnect the sessions.  With DPD, the headend can recognize the loss of connectivity to the client and tear down the session information.  DPD is a Hello and ACK process between client and server.  If a series of Hello messages do not get acknowledged, the related session information is deleted from the client or server.  It is maintained by SSL and is not connected to the network-traffic-related timeout.

    Here are a few links for your reference.  Please let me know if I can be more useful.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/SVC.html#wp1072975

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/vpngrp.html#wp1134794
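An added example (not from the thread) of how the three mechanisms in the answer, idle timeout, absolute session timeout and DPD, are configured on an ASA group-policy; AC-GP is an assumed name and the timer values are illustrative.

```cisco
! Added example, not from the thread. Assumed group-policy name AC-GP.
! Syntax is ASA 8.4+; the pre-8.4 equivalents are listed at the bottom.
group-policy AC-GP attributes
 ! Idle timer in minutes: reset by any traffic, so a chatty OS keeps it from firing
 vpn-idle-timeout 30
 ! Absolute limit in minutes: disconnects regardless of activity (8 hours here)
 vpn-session-timeout 480
 webvpn
  ! DPD: tear down a session whose peer stops answering, without waiting for idle
  anyconnect ssl dpd-interval client 30
  anyconnect ssl dpd-interval gateway 30
  ! SSL keepalives keep NAT/firewall state between the client and the ASA alive
  anyconnect ssl keepalive 20
!
! Pre-8.4 equivalents, under the same "webvpn" submode of the group-policy:
!  svc dpd-interval client 30
!  svc dpd-interval gateway 30
!  svc keepalive 20
!
! Confirm which timers a live session actually inherited:
! show vpn-sessiondb detail anyconnect
```

The session timeout is the one that reliably ends a session on a chatty host; the idle timer only fires when no traffic at all crosses the tunnel for the configured period. The `show vpn-sessiondb detail anyconnect` output is the quickest way to confirm that the session picked up the intended group-policy rather than the default one.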

  • AnyConnect client reconnects after 1 minute

    AnyConnect client reconnects after 1 minute; WHY

    version 3.1.02026

    ASA: asa911-k8.bin

    [25/04/2013 08:16:11] Establish the VPN session...

    [25/04/2013 08:16:11] Checking for updates to profile...

    [25/04/2013 08:16:11] Checking for updates...

    [25/04/2013 08:16:11] Checking for updates of customization...

    [25/04/2013 08:16:11] Execution of required updates...

    [25/04/2013 08:16:12] Establish the VPN session...

    [25/04/2013 08:16:12] Setting up VPN - initiate the connection...

    [25/04/2013 08:16:12] Setting up VPN - examining the system...

    [25/04/2013 08:16:12] Setting up VPN - activation card VPN...

    [25/04/2013 08:16:15] Setting up VPN - configuration system...

    [25/04/2013 08:16:16] Establish a VPN...

    [25/04/2013 08:16:16] Connected to my.vpn.com.

    [25/04/2013 08:16:16] Connected to my.vpn.com.

    [25/04/2013 08:17:19] Reconnection to my.vpn.com...

    [25/04/2013 08:17:19] Setting up VPN - examining the system...

    [25/04/2013 08:17:24] Setting up VPN - activation card VPN...

    [25/04/2013 08:17:25] Setting up VPN - configuration system...

    [25/04/2013 08:17:25] Establish a VPN...

    [25/04/2013 08:17:25] Connected to my.vpn.com.

    [25/04/2013 08:17:25] Reconnection to my.vpn.com...

    [25/04/2013 08:17:25] Setting up VPN - examining the system...

    [25/04/2013 08:17:25] Setting up VPN - activation card VPN...

    [25/04/2013 08:17:25] Setting up VPN - configuration system...

    [25/04/2013 08:17:25] Establish a VPN...

    [25/04/2013 08:17:25] Connected to my.vpn.com.

    The log is not enough.

    Get more logs from the ASA.

    Sent from the Cisco Technical Support iPad App

  • Using VPN to push the update of the AnyConnect client

    Hello - we would like to use our ASA VPN device to push the latest AnyConnect to our user base. Previously, due to the requirement that the user have administrator rights to install, we could not do this and had to fall back on SCCM to push AnyConnect client upgrades. We now have software that will allow the client to load as an administrator, even if the user is not an administrator on the system. Viewfinity is the name of the software.

    My question is about controlling the rollout speed. I don't want to set up the VPN to push the new AnyConnect so that every user who logs in then gets the installation. We would rather control, based on the group if possible, who gets the new client. This limits the risk, if there is a problem, to a subset of VPN users and not everyone who connects and tries to download. I can't find a config or config guide which indicates that it is possible. Does anyone know if it is or isn't an option? If it isn't, we would have to assume a lot of risk deploying the new client to 1100 users in a day, the number that typically connect on any given business day. Please advise.

    Thank you very much for your help.

    The f

    Hi Jeff,

    There is no option to enable auto-update per connection profile.

    What you can do, however, is disable this feature in the XML profile. Since the XML profile can be defined by group policy, you simply deploy the profile either by having users connect to the specific tunnel group whose group policy has the no-auto-update XML profile, or by deploying the XML profile manually on each machine.

    Please see this:

    AutoUpdate
      true  - (Default) Automatically installs new packages.
      false - Does not install new packages.

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect30/Administration/Guide/ac13vpnxmlref.html#wp1220030

    In the XML profile (to disable):

    <AutoUpdate>false</AutoUpdate>

    Where to find the profile?

    Operating system - Directory path
    Windows 7 and Vista - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\
    Windows XP - C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
    Mac OS X and Linux - /opt/cisco/anyconnect/profile/

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect30/Administration/Guide/ac02asaconfig.html#wp1409000

    Let me know.

    Thank you.

    Portu.

    Please rate all messages that you find useful.

    Post edited by: Javier Portuguez

  • Cisco AnyConnect Client - specify the certificate store in profile

    Hi all

    Running Cisco AnyConnect Client version 2.5.2019 with Cisco ASA 5510 version 8.4(1)

    I can't get the certificate store profile option (see attached picture) to work. I set this to User; when it is set correctly it propagates to the client, as you can see in the configuration file on the client computer, but it does not seem to take effect.

    When a user who has admin rights is connected, and thus has access to both the local machine and user stores, it takes a certificate from the local computer store. I know that there is a valid certificate in the user store for these users, as if I delete the local machine cert it then takes the user's cert.

    No problem for users without admin rights, as they do not have access to the local computer store.

    Does anyone have any ideas why this doesn't work?

    Jason

    Hi Jason

    It seems that the ASA is actually still pushing the old profile to the client.

    From the CLI, check:

    dir cache:/stc/profiles

    more cache:/stc/profiles/<profile.xml>

    I guess this will show you the old profile.

    How exactly did you change it? Using the profile editor in ASDM? When you pressed 'Apply' afterwards, did you get any errors?

    In any case, use "more disk0:/<profile.xml>" to verify that the profile on flash is correct (i.e. check the serverlist in it), then force the ASA to reload this file using:

    conf t

    webvpn
     svc profiles <name> disk0:/<profile.xml>

    Then check "cache:/stc/profiles/" again to verify that it took.

    HTH

    Herbert
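An added example, not configuration from either thread, that ties together the two answers above: binding a profile to a single group-policy so that only one tunnel-group receives it (Portu's approach to a staged rollout), and comparing flash against the ASA's cache to confirm which profile is actually served (Herbert's checks). ASA 8.4+ syntax; the profile, group-policy and tunnel-group names and the file names are assumptions.

```cisco
! Added example, not the posters' configuration. Assumed names: PILOT-PROFILE,
! PILOT-GP, PILOT-TG, disk0:/pilot-noupdate.xml and the .pkg file name.
! On 8.0-8.3 the two "anyconnect profiles" lines are "svc profiles ..." instead.

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 ! Register the XML file under a profile name. Re-issue this line after editing
 ! the file on flash, otherwise the ASA keeps serving the cached copy.
 anyconnect profiles PILOT-PROFILE disk0:/pilot-noupdate.xml
 anyconnect enable
!
group-policy PILOT-GP internal
group-policy PILOT-GP attributes
 webvpn
  ! Only sessions that land in this group-policy download this profile
  anyconnect profiles value PILOT-PROFILE type user
!
! A dedicated tunnel-group gives the pilot users their own login alias; everyone
! else keeps the existing tunnel-group and its unchanged profile.
tunnel-group PILOT-TG type remote-access
tunnel-group PILOT-TG general-attributes
 default-group-policy PILOT-GP
tunnel-group PILOT-TG webvpn-attributes
 group-alias pilot enable
!
! What is on flash versus what the ASA hands to clients:
! more disk0:/pilot-noupdate.xml
! dir cache:/stc/profiles
! more cache:/stc/profiles/pilot-noupdate.xml
```

If the file under `cache:/stc/profiles` still shows the old content after an edit, the registration step was not repeated; the cache is rebuilt when the `anyconnect profiles` (or `svc profiles`) line is entered again. Keeping the pilot users on their own tunnel-group limits the blast radius of a bad package in the way the question asks for, without touching the profile the rest of the user base receives.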

  • Differences and similarities between standard customer VPN and AnyConnect Client

    I have experience using the Cisco VPN client and the ASA configuration with crypto maps and so on to establish what I consider 'normal VPN' tunnels.

    I (my company is a Cisco partner) have a meeting with a prospective client tomorrow to discuss FW and VPN solutions.

    I'm trying to digest today what the other VPN options are.

    ASDM shows 3 boxes under Setup > Remote Access VPN.  The 3 options are (in this order):

    Clientless SSL VPN Remote Access (using Web browser) - THIS I UNDERSTAND

    SSL VPN Remote Access (using Cisco AnyConnect Client) - this I DO NOT UNDERSTAND

    IPsec VPN Remote Access (using Cisco VPN Client) - THIS I UNDERSTAND

    Before seeing these choices on the ASA, I thought that 'SSL VPN Remote Access' used a web browser.  What is the AnyConnect Client, and what is a concrete example of when I would choose this option vs. the other VPN options?

    Thank you

    Kevin

    I attach a picture of what I am referencing above in order to eliminate any confusion...

    Kevin,

    You should check what file you download.

    For example, something like this:

    .pkg is the installer for the ASA (flash memory) so that it can be pushed to clients over SSL connections

    .msi is the executable file for the client operating system

    Federico.
